
IDAT Loader

Cybersecurity researchers have discovered an attack campaign that targets Ukrainian entities with a Trojan called the Remcos RAT, delivered by a malware loader known as the IDAT Loader. The Computer Emergency Response Team of Ukraine (CERT-UA) has attributed the attack to a threat actor it tracks as UAC-0184 (TA544).

The attack, executed through the IDAT Loader, incorporates steganography. Steganographic, or 'Stego,' techniques are widely recognized: they conceal information within another medium, such as hiding data inside images, audio files, or other digital content, to enable covert communication without attracting attention. Understanding their role in evading defensive measures is crucial.

The IDAT Loader Facilitates the Delivery of Next-Stage Malware Payloads

The IDAT Loader, which shares similarities with another loader family named Hijack Loader, has been actively deploying various payloads, including DanaBot, SystemBC, and the RedLine Stealer, over several months. This loader has been employed by a threat actor identified as TA544 to disseminate the Remcos RAT and SystemBC through phishing attacks.

The phishing campaign, initially disclosed by CERT-UA in early January 2024, involves using war-themed baits to initiate an infection chain. This chain ultimately leads to the deployment of the IDAT Loader, which utilizes an embedded steganographic PNG to locate and extract the Remcos RAT.
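A defender-side check that the PNG-staging technique above invites, added here as an example and not part of the original report or of CERT-UA's analysis: a chunk-level audit that flags bytes a renderer never consumes, such as IDAT payload appended after the zlib stream ends or data after IEND. The test image and the hidden bytes are constructed inline; the layout of a real IDAT Loader sample is not known from this page and is not assumed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))  # len|type|data|crc

def make_png(width, height, rgb, extra_idat=b"", trailer=b""):
    """Constructed 8-bit RGB test image; extra_idat/trailer inject foreign bytes for the audit to find."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes(rgb) * width for _ in range(height))  # filter byte + pixels per row
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw))
    if extra_idat:
        png += _chunk(b"IDAT", extra_idat)  # well-formed chunk with a valid CRC, but not image data
    return png + _chunk(b"IEND", b"") + trailer

def audit_png(data):
    """Return findings describing bytes in the file that an image decoder would never use."""
    if not data.startswith(PNG_SIG):
        return ["missing PNG signature"]
    findings, chunks, pos = [], [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        stored = data[pos + 8 + length:pos + 12 + length]
        if len(stored) != 4 or struct.unpack(">I", stored)[0] != zlib.crc32(ctype + payload):
            findings.append(f"bad CRC on {ctype.decode('latin-1')} chunk at offset {pos}")
        chunks.append((ctype, payload))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if pos < len(data):
        findings.append(f"{len(data) - pos} trailing bytes after IEND")
    d = zlib.decompressobj()  # decoders treat all IDAT payloads as one zlib stream; the rest is dead weight
    try:
        raw = d.decompress(b"".join(p for t, p in chunks if t == b"IDAT")) + d.flush()
    except zlib.error:
        return findings + ["IDAT payload is not a zlib stream"]
    if d.unused_data:
        findings.append(f"{len(d.unused_data)} bytes appended inside IDAT after the zlib stream ends")
    ihdr = dict(chunks).get(b"IHDR", b"")
    if len(ihdr) == 13:
        width, height, depth, colour = struct.unpack(">IIBB", ihdr[:10])
        channels = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}.get(colour, 0)  # samples per pixel by colour type
        expected = height * (1 + (width * channels * depth + 7) // 8)
        if channels and len(raw) != expected:
            findings.append(f"decoded image data is {len(raw)} bytes, IHDR implies {expected}")
    return findings
```

A clean image yields an empty list; the same image with a foreign IDAT chunk and a trailer reports both anomalies, which is a cheap triage signal before any decoding of the hidden content is attempted.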

The Remcos RAT is Often Deployed in Cybercriminal Campaigns

The REMCOS RAT is a prevalent Remote Access Trojan extensively employed in both cybercriminal and espionage operations. Known for its capability to seize control of computers, REMCOS can gather keystrokes, audio, video, screenshots, and system data while also facilitating the delivery of additional malware payloads. Typically, this malware is propagated through phishing emails containing malicious attachments or links that lead to the installation of the RAT. Notably, REMCOS has also been observed being distributed through malware loaders. The malware has been in use since the mid-2010s.

Upon successful execution of REMCOS, the threat actors gain comprehensive control and surveillance capabilities over the target system. This enables them to clandestinely exfiltrate sensitive data over an extended period, potentially avoiding detection. The utilization of such sensitive information, depending on the target, carries the risk of victims facing blackmail, potential job loss if company data is compromised, and the theft of organizational data. This pilfered data could then be exploited to orchestrate large-scale, sophisticated attacks, resulting in severe and possibly irreparable harm to the affected organizations or individuals' livelihoods.

Ukraine Remains a Target of Cybercriminal Attacks by Hacker Groups Aligned with Russia

CERT-UA has also warned of a targeted cyberattack aimed at infecting the computer systems used by the Armed Forces of Ukraine with the Cookbox backdoor.

According to CERT-UA, an unidentified individual distributed an XLS document named '1_ф_5.39-2024.xlsm' via the Signal messenger among several military personnel, claiming to have issues with report formation. The file contained an additional VBA script that triggered the download and execution of a PowerShell script named ''

The PowerShell script downloaded from GitHub modifies the Windows registry. More specifically, it drops a base64-encoded payload in 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\XboxCache,' which ultimately executes the Cookbox malware. Cookbox is a PowerShell script that implements functionality for downloading and executing PowerShell cmdlets.

Dynamic DNS services (such as ) and Cloudflare Workers are used to operate the command-and-control servers. The described activity, tracked as UAC-0149, has been ongoing since at least autumn 2023, according to the data revealed by the researchers.